Declarative data

Declarative data allows you to explicitly report information related to an asset.

They can be used to create an air-gapped asset or to edit the information of an asset that is already supervised by Cyberwatch to adapt the scan results.

The information to be filled in must respect the syntax described below.

Edit the declarative data of an asset

1. Click on Inventory
2. Select an asset
3. From the page dedicated to the asset, on “Analyses” tab, click on the edit button in front of “Declarative data”
4. Fill in the information about the asset, respecting the syntax
5. Confirm the changes by clicking on the “Update” button

Syntax of the language

Each property is composed of a key/value pair, whose syntax is:

KEY:value

Syntax precision

• The keys are exclusively composed of capital letters and underscores:

   bad_key: → syntax error
   BAD-KEY: → syntax error
   GOOD_KEY:
  

• Lines that do not respect the key:value format also trigger syntax errors

  Note that syntax errors are never fatal, the property will simply not be considered in the analysis.

• Comments start at the beginning of the line with the # character, and extend over the whole line. Since values can contain the # character, commenting a part of the line is not possible

• Multi line values are accepted for some properties, they must have a larger indentation than the property that defines them:

   KEY:start
      ...
      end
  

Forbidding a value

You can forbid a value by preceding the previous syntax with a hyphen. The value will no longer be taken into account by Cyberwatch scans:

-KEY1:value1

All occurrences of KEY1:value1 that follow -KEY1:value1 will be ignored.

The hyphen must be followed by the exact line found during the scan.

Types of properties

Two types of properties are available:

• The simple properties that can only be set once and accept only one value

If the property is redefined, the second value is ignored:

   HOSTNAME:server-1
   HOSTNAME:server-2 → ignored

• The multiple properties which can be filled in several times in the script

They allow you to build a list of elements:

   # Adds 2 packages
   PACKAGE:coreutils|8.32-1
   PACKAGE:bash|5.1.004-1

Note that when editing the information of an asset, the simple properties can be directly rewritten. They will then replace the information reported during scan:

   HOSTNAME:server-1 → remplaces the reported value

However, multiple properties cannot be directly rewritten. For a value to be overwritten, you must forbid it and add a property with the new value.

Use case example:

   # Replace a package version
   -PACKAGE:coreutils|8.31
   PACKAGE:coreutils|8.32

List of main properties

System information

KEY	Impact	Example KEY:value	Simple/Multiple
HOSTNAME	Defines the asset name	HOSTNAME:server	Simple
KERNEL_VERSION	Defines the version of the OS kernel	KERNEL_VERSION:5.4.0-42-generic	Simple
OS_NAME	Defines the name of the asset’s operating system	OS_NAME:Ubuntu	Simple
OS_VERSION	Defines the version of the operating system	OS_VERSION:20.04.1 LTS	Simple
OS_PRETTYNAME	Defines the operating system and its version	OS_PRETTYNAME:Ubuntu 20.04.1 LTS	Simple
ARCH	Defines the asset’s architecture	ARCH:x86_64	Simple

System state

KEY	Impact	Example KEY:value	Simple/Multiple
REBOOT	Sets the asset status to ‘Restart required’	REBOOT:false	Simple
BOOT_TIME	Sets the start date and time	BOOT_TIME:2021-03-18T07:38:59+0000	Simple

Services

KEY	Impact	Example KEY:value	Simple/Multiple
SERVICE	Adds a line to the Services tab	SERVICE:ssh|enabled	Multiple

Installed packages/applications

KEY	Impact	Example KEY:value	Simple/Multiple
PACKAGE	Adds a package to the asset’s technologies	PACKAGE:firefox|80.0.1+build1-0ubuntu0.20.04.1	Multiple
APPLICATION	Adds an application to the asset’s technologies	APPLICATION:Microsoft Office 365 ProPlus - en-us1|6.0.11328.20512	Multiple
NVD_APPLICATION	Adds a third-party application from its CPE code in the NVD database	NVD_APPLICATION:cpe:/a:elastic:kibana:7.0.0	Multiple
FIRMWARE	Specifies the CPE code of the firmware of an appliance	FIRMWARE:cpe:/o:stormshield:stormshield_network_security:3.8.1	Multiple
META	Adds a line to the Metadata tab	META:processor-version|Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz	Multiple

Network information

KEY	Impact	Example KEY:value	Simple/Multiple
IP	Defines the IP addresses of the asset with or without subnet mask	IP:127.0.0.1 or IP:127.0.0.1/8 or IP:127.0.0.1/255.0.0.0	Multiple
TCP	Adds a TCP port to the Ports tab	TCP:22 or TCP:22|openssh	Multiple
UDP	Adds an UDP port to the Ports tab	UDP:53	Multiple

Windows specific properties

KEY	Impact	Example KEY:value	Simple/Multiple
OS_BUILD	Defines the Windows build	OS_BUILD:17763.1158	Simple
WUAVERSION	Sets the version of the Windows Update Agent	WUAVERSION:10.0.17763.1	Multiple
CAB_FILENAME	Sets the name of the official Microsoft file used for this scan	CAB_FILENAME:dcdb9e78484667695627acea9213897eaf.cab	Simple

SAP specific properties

KEY	Impact	Example KEY:value	Simple/Multiple
SAP_NOTE	Adds a SAP note to the asset	SAP_NOTE:3119365	Multiple

Security issues

KEY	Impact	Example KEY:value	Simple/Multiple
SECURITY_ISSUE	Adds a line to the Security Issues tab	SECURITY_ISSUE:    sid: WSTG-CRYP-04 (low)    cipher: TLS_RSA_WITH_AES_128_CBC_SHA    grade: A    port: 443	Multiple
sid	Identifies the security issue’s reference	SECURITY_ISSUE:    sid: WSTG-ATHN-02	Simple
cipher	Indicates a weak cipher	SECURITY_ISSUE:    sid: WSTG-CRYP-04 (low)    cipher: TLS_RSA_WITH_AES_256_CBC_SHA	Simple
port	Associates a port with the security issue	SECURITY_ISSUE:    sid: WSTG-CRYP-04 (low)    port: 443	Simple
info	Provides additional details	SECURITY_ISSUE:    sid: WSTG-CONF-07    path: "/login.php"    method: GET    info: HttpOnly flag is not set in the cookie: language	Simple
method	Indicates the HTTP request method used	SECURITY_ISSUE:    sid: WSTG-CONF-07    path: "/login.php"    method: GET	Simple
path	Points to the access path	SECURITY_ISSUE:    sid: WSTG-CONF-07    path: "/login.php"	Simple
parameter	Defines the vulnerable parameter	SECURITY_ISSUE:    sid: WSTG-INPV-01    info: XSS vulnerability found via injection in the parameter id    parameter: id	Simple
http_request	Details the associated HTTP request	SECURITY_ISSUE:    sid: WSTG-INPV-01    path: "/login.php"    parameter: id    http_request: |−       GET /login.php HTTP/1.1       host: website.test	Simple
curl_command	Shows the corresponding curl command	SECURITY_ISSUE:    sid: WSTG-CONF-07    curl_command: curl "<https://website.test/login.php>"	Simple
description	Describes the security issue	SECURITY_ISSUE:    sid: WSTG-CONF-07    description: HTTP Strict Transport Security	Simple
protocol	Specifies the weak protocol	SECURITY_ISSUE:    sid: Telnet-port    protocol: TCP	Simple

Network Devices

KEY	Impact	Example KEY:value	Simple/Multiple
FIRMWARE	Specifies the CPE code of the firmware of an appliance	FIRMWARE:cpe:/o:stormshield:stormshield_network_security:3.8.1	Multiple
HARDWARE	Specifies the CPE code of the hardware of an appliance	HARDWARE:cpe:2.3:h:sonicwall:nssp_15700	Multiple